CVE-2022-40320: cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.
Created a PR: https://github.com/gentoo/gentoo/pull/30104
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5dce806e4b3a04419f125938501990818739bbb8 commit 5dce806e4b3a04419f125938501990818739bbb8 Author: Vaibhav Rustagi <vaibhavrustagi@google.com> AuthorDate: 2023-03-13 21:33:11 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-03-13 23:27:02 +0000 dev-libs/confuse: Add fix for CVE-2022-40320 The source of libconfuse package didn't make a release since Jun 24, 2020 (https://github.com/libconfuse/libconfuse). Therefore, to fix the CVE add a patch. [sam: adjust patch metadata, drop back to ~arch.] Bug: https://bugs.gentoo.org/901089 Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com> Closes: https://github.com/gentoo/gentoo/pull/30104 Signed-off-by: Sam James <sam@gentoo.org> dev-libs/confuse/confuse-3.3-r2.ebuild | 62 ++++++++++++++++++++++ .../files/confuse-3.3-fix-CVE-2022-40320.patch | 39 ++++++++++++++ 2 files changed, 101 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0859f1f4d6a63e0d2257020ea7b31e4a0a881d0e commit 0859f1f4d6a63e0d2257020ea7b31e4a0a881d0e Author: Petr Vaněk <arkamar@gentoo.org> AuthorDate: 2024-09-10 20:46:53 +0000 Commit: Petr Vaněk <arkamar@gentoo.org> CommitDate: 2024-09-10 20:48:26 +0000 dev-libs/confuse: drop 3.3, 3.3-r1 Bug: https://bugs.gentoo.org/901089 Signed-off-by: Petr Vaněk <arkamar@gentoo.org> dev-libs/confuse/confuse-3.3-r1.ebuild | 56 ---------------------------------- dev-libs/confuse/confuse-3.3.ebuild | 53 -------------------------------- 2 files changed, 109 deletions(-)
